.Bank or .Bust? New Top Level Domain Promises Increased Security (and Plenty of Questions)

Bankers are being encouraged to register their domain names under the new .bank extension, and although there are reasons to consider making the switch, there are also many questions to answer.  Registration is currently open for institutions with a trademarked domain name.  Open registration begins June 23.

First of all, the regulators have not offered an opinion on this yet.  It’s important to note that all of the encouragement is coming from the folks profiting from the registrations: the ABA, Symantec, ICANN, and the multiple registrars (still to be determined).  The least expensive registration I’ve seen is around $1,000 per year.  Multiply that by the number of FDIC-insured banking institutions* (currently around 6,400) and you get a minimum of $6.4M in new revenue each year.  So it’s easy to see why the proponents are excited, but what’s in it for you?  Will the significant increase in effort and expense pay off?

The proponents claim that “.BANK will be a protected, trusted, more secure and easily identifiable space…” on the Internet for banking institutions.  But converting will come at quite a cost to each institution, not just in terms of financial outlay, but time, energy and other resources as well.  And in the end, will the claims of the proponents be realized?

“It’s easy to see why the .bank proponents are excited, but will the significant effort and increased expense pay off for institutions?”

Let’s examine each claim, starting with “.bank will be more protected.”  It is true that there are multiple safeguards in place to prevent a non-qualifying business from registering a .bank domain.  There are seven categories of banks and banking organizations that are considered qualified for registration, so consumers can have some level of assurance that xxx.bank is indeed a “qualifying” business.  So theoretically Bob can’t just start up a website called BobsBank.bank unless he is a bank, and in that sense the environment is more protected.

A more protected space goes hand in hand with another claimed advantage: an “easily identifiable space.”  I’m not sure this is a net advantage, though.  Currently, if a bad actor wants to target a bank (with ransomware, for example), it first has to determine that a website belongs to a bank.  Yes, this is trivial, but there is at least some security in obscurity.  A .bank domain makes it crystal clear that the site, and every email address under it, belongs to a bank, so you should expect an increase in spear-phishing aimed at .bank institutions.  Having the .bank target on your back might also make DDoS attacks more common, and none of the required security enhancements does anything about availability.  So the advantage of being “more protected” comes at a cost.

But the most often touted advantage of the new domains is that they are designed to be “more secure“.  This is definitely a good thing if it can be achieved.  Cybersecurity is a big concern for regulators right now, and anything that might enhance the security of the industry overall will be strongly encouraged.  (Again, regulators have not come out with a position for or against .bank yet.)

Here are the most significant security enhancements, with pluses and minuses for each:

Security enhancement: Mandatory verification of charter/licensure for regulated entities
  Stated advantage: A more restricted and potentially more protected space; no non-banks posing as banks.
  Additional considerations: Banks will compete for the choicest names and may not get the domain they request (an existing .com does not guarantee a .bank with the same name). Creates an easily identifiable target environment.

Security enhancement: Mandatory re-verification of registration data
  Stated advantage: Ensures registrants maintain their eligibility.
  Additional considerations: Must remember to re-verify every two years or risk losing the registration. Additional expense.

Security enhancement: Domain Name System Security Extensions (DNSSEC)
  Stated advantage: Lets validating resolvers verify that DNS answers for the bank’s domain are authentic and unaltered, so a forged DNS response cannot silently send users to an impostor site.
  Additional considerations: Most banks already use this feature. It protects only users whose resolvers validate DNSSEC, and it says nothing about the content of the site itself or its TLS certificate.

Security enhancement: Email authentication (SPF, DKIM and DMARC records for the bank’s domain)
  Stated advantage: Lets receiving mail servers verify that mail claiming to come from the bank’s domain was actually authorized by the bank.
  Additional considerations: Most banks already use this feature. It only stops others from spoofing the bank’s own domain, and only when the bank publishes an enforcing policy and the receiver checks it; it does nothing about phishing mail coming into the bank, or phishing sent from look-alike domains.

Security enhancement: Multi-factor authentication
  Stated advantage: Ensures that only authorized bank personnel can make registration changes.
  Additional considerations: Theoretically useful, but most banks already have measures in place to prevent unauthorized registration changes.

Security enhancement: Strong encryption
  Stated advantage: Ensures that communication with the website is encrypted using strong protocols and ciphers.
  Additional considerations: Most banks already have strong security measures in place.

Security enhancement: Prohibition of proxy/privacy registration services
  Stated advantage: Prevents anonymous registrants.
  Additional considerations: Registrant contact information will be readily accessible for all to see, which may lead to an increase in spear-phishing attacks against the registrant contacts.

Security enhancement: Domains must be hosted on .BANK nameservers
  Stated advantage: Ensures all .bank sites adhere to the security requirements.
  Additional considerations: Theoretically useful, but may pose a challenge for banks that host separate informational and transactional sites (e.g., if the transactional site is hosted by a core vendor).
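As an added illustration of what the DNSSEC and email-authentication requirements amount to in practice (example code written for this page, not code from the original post or from the .BANK registry), the Python below reads a constructed set of DNS answers for two hypothetical domains, strongbank.bank and weakbank.bank, and reports whether a DS record exists for the domain, what its SPF record says about unlisted senders, and whether its DMARC policy is actually enforcing. The domain names, the record values and the function names are all assumptions; a real check would query the same names from a resolver instead of reading the dictionary. The point it makes is that “already using this feature” is not the same as being protected: a DMARC record with p=none only monitors, it rejects nothing.

```python
"""Check what 'email authentication' and DNSSEC signing look like in a
domain's DNS records, and whether the published policies are enforcing.

Added example, not code from the original post or from the .BANK registry.
The records below are constructed for two hypothetical domains; a real check
would query the same names (TXT at the domain, TXT at _dmarc.<domain>, and
DS at the domain) from a DNS resolver instead of reading this dictionary.
"""
import re

# Constructed sample answers keyed by (owner name, record type). Hypothetical
# domains and values; nothing here comes from a real lookup.
SAMPLE_DNS = {
    ("strongbank.bank", "TXT"): [
        "v=spf1 mx include:_spf.mailvendor.example -all",
    ],
    ("_dmarc.strongbank.bank", "TXT"): [
        "v=DMARC1; p=reject; rua=mailto:dmarc@strongbank.bank",
    ],
    # A DS record is published by the parent zone (the .bank registry) and is
    # what links the domain into the DNSSEC chain of trust.
    ("strongbank.bank", "DS"): [
        "12345 13 2 0123456789abcdef0123456789abcdef"
        "0123456789abcdef0123456789abcdef",
    ],
    ("weakbank.bank", "TXT"): [
        "some-site-verification=abc123",
        "v=spf1 include:_spf.mailvendor.example ~all",
    ],
    ("_dmarc.weakbank.bank", "TXT"): [
        "v=DMARC1; p=none; rua=mailto:dmarc@weakbank.bank",
    ],
    # weakbank.bank has no DS record: to a validating resolver it is simply
    # unsigned, whatever its own zone contains.
}

SPF_QUALIFIERS = {"-": "fail", "~": "softfail", "?": "neutral", "+": "pass"}


def lookup(records, name, rrtype):
    """Return the record strings for (name, rrtype), or [] if absent."""
    return list(records.get((name.lower(), rrtype.upper()), []))


def spf_policy(txt_records):
    """Return what the SPF record says about senders it does not list.

    One of 'fail', 'softfail', 'neutral', 'pass', 'no-all', 'invalid'
    (more than one SPF record is a permanent error under RFC 7208), or
    None when no SPF record is published at all.
    """
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return None
    if len(spf) > 1:
        return "invalid"
    for term in spf[0].split()[1:]:
        m = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if m:
            return SPF_QUALIFIERS[m.group(1) or "+"]
    return "no-all"  # no 'all' term (e.g. only a redirect=): nothing rejected


def dmarc_policy(txt_records):
    """Parse the DMARC record at _dmarc.<domain> into a tag dict, or None.

    Receivers apply DMARC only when exactly one valid record exists, so zero
    or several records both count as 'no policy'.
    """
    recs = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if len(recs) != 1:
        return None
    tags = {}
    for part in recs[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(records, domain):
    """Summarise the domain's DNSSEC delegation and mail-authentication posture."""
    spf = spf_policy(lookup(records, domain, "TXT"))
    dmarc = dmarc_policy(lookup(records, "_dmarc." + domain, "TXT"))
    policy = (dmarc or {}).get("p", "").lower() or None
    try:
        pct = int(dmarc.get("pct", "100")) if dmarc else 0
    except ValueError:
        pct = 0
    return {
        "domain": domain,
        "dnssec_ds": bool(lookup(records, domain, "DS")),
        "spf_all": spf,
        "dmarc_p": policy,
        "dmarc_pct": pct,
        # Only quarantine/reject applied to 100% of mail tells receivers to
        # act on spoofed messages; p=none is monitoring, not protection.
        "dmarc_enforcing": policy in ("quarantine", "reject") and pct == 100,
    }


if __name__ == "__main__":
    for name in ("strongbank.bank", "weakbank.bank"):
        print(assess(SAMPLE_DNS, name))
```

Run it directly to print both assessments. To check a live domain, feed the output of `dig +short TXT <domain>`, `dig +short TXT _dmarc.<domain>` and `dig +short DS <domain>` into the same three functions; a DS record present in the parent is the minimum sign of DNSSEC signing, and a DMARC record that is present but set to p=none is the common case behind “we already have email authentication.”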

Finally, whether or not the new domain extension is “more trusted” depends on two things: the rate of adoption among all banks, and whether or not the security advantages are realized.

The jury is still out on the security advantages, but regarding the rate of adoption…

* NCUA insured institutions are apparently out of luck for now, at least until the .CREDITUNION domain becomes available.

Tom Hinkel
As author of the Compliance Guru website, Hinkel shares easy-to-digest information security tidbits with financial institutions across the country. With almost twenty years’ experience, Hinkel’s areas of expertise span the entire spectrum of information technology. He is also the VP of Compliance Services at Safe Systems, a community banking tech company, where he ensures that their services incorporate the appropriate financial industry regulations and best practices.

One comment

  1. Nice write up. I can tell you put some thought into it.

Write a Comment